SlideShare uma empresa Scribd logo

Os Rash

oscon2007
oscon2007
Tecnologia
1 de 40
Iptables Attack Visualization Michael Rash Security Architect Enterasys Networks, Inc. http://www.cipherdyne.org/ OSCON 2007­07­26   Copyright (C) 2007 Michael Rash 1
Agenda Why visualize iptables log data? ● context and change – iptables log message formats and data  – completeness New psad­2.0.8 release with Gnuplot interface ● Honeynet Project Scan34 iptables  ● visualizations (see http://www.honeynet.org) Gnuplot – AfterGlow –   Copyright (C) 2007 Michael Rash 2
Why Visualize Data? Consider the following set of values (each value  ● represents the number of packets to unique  TCP ports per minute): 5, 4, 2, 1, 3, 4, 55, 58, 70, 85, 120, 9, 2, 3, 1, 5, 4   Copyright (C) 2007 Michael Rash 3
Seeing the Trend   Copyright (C) 2007 Michael Rash 4
Graph Types Gnuplot ● Dots, points, lines through points – Good at seeing  – trends and relationships in large data sets (>  100,000 points) 3D mode with interactive viewing – AfterGlow ● Link Graphs – Good at expressing network  – relationships with IP addresses    Copyright (C) 2007 Michael Rash 5
Iptables Log Data Graphs will only be as good as the data source  ● permits Iptables logs include nearly every interesting  ● field for both the network and transport layer  headers – we just need an effective way to  parse and then visualize this data Iptables log messages can be tied to  ● application layer string matches via the string  match extension (see fwsnort)   Copyright (C) 2007 Michael Rash 6
iptables IP Header Coverage   Copyright (C) 2007 Michael Rash 7
iptables TCP Header Coverage   Copyright (C) 2007 Michael Rash 8
iptables TCP Log Message Jul 11 20:21:22 minastirith kernel: [199]  SID1361 ESTAB IN=eth1 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=60  TOS=0x00 PREC=0x00 TTL=63 ID=11112 DF  PROTO=TCP SPT=28778 DPT=80 WINDOW=5840  RES=0x00 ACK PSH URGP=0 OPT  (0101080A02A041D20CC386B1)   Copyright (C) 2007 Michael Rash 9
iptables UDP Header Coverage   Copyright (C) 2007 Michael Rash 10
iptables UDP Log Message Jul 11 20:50:54 minastirith kernel: [153]  SID2001597 IN=eth0 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=40  TOS=0x00 PREC=0x00 TTL=63 ID=29758 DF  PROTO=UDP SPT=32046 DPT=61 LEN=20   Copyright (C) 2007 Michael Rash 11
iptables ICMP Header Coverage   Copyright (C) 2007 Michael Rash 12
iptables ICMP Log Message Jul 11 20:57:18 minastirith kernel: [98]  SID2003294 IN=eth0 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=128  TOS=0x00 PREC=0x00 TTL=63 ID=53466  PROTO=ICMP TYPE=8 CODE=0 ID=27459 SEQ=0   Copyright (C) 2007 Michael Rash 13
psad­2.0.8 release Interfaces with Gnuplot – parses iptables log data  ● according to header field requirements and builds both a  data file and a directives file for Gnuplot Various counting modes are supported across different  ● time scales Granular requirements on iptables field values (including  ● negation) Gnuplot works best with integer data (separated by  ● commas or spaces), so IP addresses need to be  translated into integer equivalents   Copyright (C) 2007 Michael Rash 14
psad­2.0.8 release (cont'd) psad ­­gnuplot command line arguments: ●     ­­gnuplot­graph­style ­ “points”, “dots”, “linespoints”     ­­gnuplot­file­prefix ­ <file>.gnu, <file>.dat, <file>.png     ­­gnuplot­title – Graph title (used for psad command line)     ­­gnuplot­sort­style – time sorting vs. value sorting     ­­gnuplot­3D – Use “splot” for three­dimensional viewing     ­­gnuplot­view – Set viewing angle   Copyright (C) 2007 Michael Rash 15
The Honeynet Scan34 Data Set The goal of a Honeynet is to collect data on real  ● compromises – packet traces and log data is an excellent  learning tool Over 170,000 lines of iptables log data in the Scan34  ● challenge – covers a five week period Contains evidence of port scans, port sweeps, worm traffic  ● (Slammer, Nachi), and an outright compromise of a  system – we will visualize these graphically All IP addresses are sanitized to 11.11.0.0/16 ● http://www.honeynet.org/ ●   Copyright (C) 2007 Michael Rash 16
Port Scans Packets to many different ports from a single  ● source address Not just SYN packets, think of Nmap ­sF, ­sN,  ● ­sX, ­sA, (also ­sU for UDP) Visualize with IP address vs. the number of  ● packets to unique ports   Copyright (C) 2007 Michael Rash 17
psad Command psad ­m iptables.data ­­gnuplot ­­ CSV­fields “src:not11.11.0.0/16  dp:countuniq” ­­gnuplot­graph points  ­­gnuplot­xrange 0:26500 –gnuplot­ file­prefix portscan   Copyright (C) 2007 Michael Rash 18
Visualizing Port Scans (IP vs.  Packet Count to Unique Ports)   Copyright (C) 2007 Michael Rash 19
psad Gnuplot data files # Generated by psad v2.0.8 (file revision: 2092) # Command line: 'psad ­m iptables.data ­­gnuplot ­­CSV­fields src:not11.11.0.0/16  dp:countuniq ­­gnuplot­graph points ­­gnuplot­xrange 0:26500 ­­gnuplot­file­prefix  portscan ­­use­store portscan.store' # Time stamp:  Sun Jul  8 13:43:28 2007 905, 66  ### 905=60.248.80.102  12415, 10  ### 12415=63.135.2.15  15634, 10  ### 15634=63.186.32.94  24950, 10  ### 24950=218.85.9.143  16374, 8  ### 16374=63.204.104.150    Copyright (C) 2007 Michael Rash 20
When Did the Heaviest Scan  Occur?   Copyright (C) 2007 Michael Rash 21
psad Analysis of Scanner:  60.248.80.102 psad ­m iptables.data ­A ­­analysis­fields quot;src:60.248.80.102quot; SRC:  60.248.80.102, DL: 2, Dsts: 1, Pkts: 67, Unique sigs: 3 DST: 11.11.79.125         Scanned ports: UDP 7­43981, Pkts: 53, Chain: FORWARD, Intf: br0         Scanned ports: TCP 68­32783, Pkts: 14, Chain: FORWARD, Intf: br0         Signature match: quot;POLICY vncviewer Java applet download attemptquot;         TCP, Chain: FORWARD, Count: 1, DP: 5802, SYN, Sid: 1846         Signature match: quot;PSAD­CUSTOM Slammer communication attemptquot;         UDP, Chain: FORWARD, Count: 1, DP: 1434, Sid: 100208         Signature match: quot;RPC portmap listing UDP 32771quot;         UDP, Chain: FORWARD, Count: 1, DP: 32771, Sid: 1281   Copyright (C) 2007 Michael Rash 22
Port Sweeps Packets to a single port number across many  ● hosts Good evidence of an automated worm (or  ● human) that can exploit a specific vulnerability  in a particular service Visualize with external IP addresses vs.  ● destination ports vs. packet count   Copyright (C) 2007 Michael Rash 23
psad Command psad ­m iptables.data ­­gnuplot ­­ CSV­fields “src:not11.11.0.0/16  dp:count” ­­gnuplot­graph points -- gnuplot-3d ­­gnuplot­view 74,77 ­­ gnuplot­file­prefix portsweep   Copyright (C) 2007 Michael Rash 24
Visualizing Port Sweeps (IP vs.  Destination Port vs. Packet Count)   Copyright (C) 2007 Michael Rash 25
The Top Port Sweeper:  200.216.205.189 vs. TCP/3306   Copyright (C) 2007 Michael Rash 26
The Top Port Sweeper (Link Graph)   Copyright (C) 2007 Michael Rash 27
Slammer Worm Exploited a vulnerability in MS SQL Server  ● 2000 Single 404­byte UDP packet to port 1434 ● One of the fastest spreading worms in history ● Can easily be spoofed – useless to return ICMP  ● port unreachable with your IDS; need to block  the packet with an IPS and patch the  vulnerability   Copyright (C) 2007 Michael Rash 28
Visualizing the Slammer Worm  (UDP 404­byte Packets vs. Hours)   Copyright (C) 2007 Michael Rash 29
Visualizing the Slammer Worm  (UDP 404­byte Packets vs. Minutes)   Copyright (C) 2007 Michael Rash 30
Nachi Worm Exploits Windows 2000 and XP systems that  ● are not patched against the MS03­026  vulnerability Always sends a 92­byte ICMP echo request to  ● a target system before attempting to exploit the  vulnerability This ICMP packet makes the worm easy to  ● detect   Copyright (C) 2007 Michael Rash 31
Nachi Worm (92­Byte ICMP Packet  vs. Hours)   Copyright (C) 2007 Michael Rash 32
  Copyright (C) 2007 Michael Rash 33
Detecting A Compromised System  with Outbound Connections Honeynet systems should not make outbound  ● connections to external networks (except for  administrative or reporting communication with  known addresses) SSH and IRC connections are particularly  ● suspicious   Copyright (C) 2007 Michael Rash 34
Outbound Connections   Copyright (C) 2007 Michael Rash 35
   
Iptables Logging Args When building iptables LOG rules: ● Use ­­log­ip­options – Use ­­log­tcp­sequence – Use ­­log­tcp­options – More attacks can be detected, and operating  – systems can be passively fingerprinted   Copyright (C) 2007 Michael Rash 37
3D Graphing Demo...   Copyright (C) 2007 Michael Rash 38
No Starch Press, Sept 2007   Copyright (C) 2007 Michael Rash 39
Questions? http://www.cipherdyne.org/ mbr@cipherdyne.org   Copyright (C) 2007 Michael Rash 40

Recomendados

The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and Hadoop
DataWorks Summit
 
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
InfluxData
 
DRP for Big Data - Stream Processing Architectures
DRP for Big Data - Stream Processing ArchitecturesDRP for Big Data - Stream Processing Architectures
DRP for Big Data - Stream Processing Architectures
Mohamed Mehdi Ben Aissa
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment Update
APNIC
 
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios
 
Adaptive Query Optimization in 12c
Adaptive Query Optimization in 12cAdaptive Query Optimization in 12c
Adaptive Query Optimization in 12c
Anju Garg
 
Os Saintandre
Os SaintandreOs Saintandre
Os Saintandre
oscon2007
 
Os Vilain
Os VilainOs Vilain
Os Vilain
oscon2007
 

Recomendados

The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and Hadoop
DataWorks Summit
 
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
InfluxData
 
DRP for Big Data - Stream Processing Architectures
DRP for Big Data - Stream Processing ArchitecturesDRP for Big Data - Stream Processing Architectures
DRP for Big Data - Stream Processing Architectures
Mohamed Mehdi Ben Aissa
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment Update
APNIC
 
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios
 
Adaptive Query Optimization in 12c
Adaptive Query Optimization in 12cAdaptive Query Optimization in 12c
Adaptive Query Optimization in 12c
Anju Garg
 
Os Saintandre
Os SaintandreOs Saintandre
Os Saintandre
oscon2007
 
Os Vilain
Os VilainOs Vilain
Os Vilain
oscon2007
 
Os Racicot
Os RacicotOs Racicot
Os Racicot
oscon2007
 
Os Capouch
Os CapouchOs Capouch
Os Capouch
oscon2007
 
Os Ramani
Os RamaniOs Ramani
Os Ramani
oscon2007
 
Os Keller
Os KellerOs Keller
Os Keller
oscon2007
 
Os Oram
Os OramOs Oram
Os Oram
oscon2007
 
Os Bernier
Os BernierOs Bernier
Os Bernier
oscon2007
 
Programming the PS3
Programming the PS3Programming the PS3
Programming the PS3
Olivier Grisel
 
XS Boston 2008 Network Topology
XS Boston 2008 Network TopologyXS Boston 2008 Network Topology
XS Boston 2008 Network Topology
The Linux Foundation
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
Prathan Phongthiproek
 
Os Wilhelm
Os WilhelmOs Wilhelm
Os Wilhelm
oscon2007
 
The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and Hadoop
Michael Zhang
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Canada
 
Large-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemLarge-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop Ecosystem
Gyula Fóra
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAP
Chris John Riley
 
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Nelson Calero
 
شرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNAشرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNA
Dawood Aqlan
 
Flink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devopsFlink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devops
Timothy Spann
 
Model-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data AnalyticsModel-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data Analytics
Cisco Canada
 
Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018
Amazon Web Services
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Cisco Russia
 
Stress your DUT
Stress your DUTStress your DUT
Stress your DUT
Redge Technologies
 
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PROIDEA
 

Mais conteúdo relacionado

Destaque

Destaque (6)

Os Racicot
Os RacicotOs Racicot
Os Racicot
 
Os Capouch
Os CapouchOs Capouch
Os Capouch
 
Os Ramani
Os RamaniOs Ramani
Os Ramani
 
Os Keller
Os KellerOs Keller
Os Keller
 
Os Oram
Os OramOs Oram
Os Oram
 
Os Bernier
Os BernierOs Bernier
Os Bernier
 

Semelhante a Os Rash

Large-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemLarge-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop Ecosystem
Gyula Fóra
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAP
Chris John Riley
 

Semelhante a Os Rash (20)

Programming the PS3
Programming the PS3Programming the PS3
Programming the PS3
 
XS Boston 2008 Network Topology
XS Boston 2008 Network TopologyXS Boston 2008 Network Topology
XS Boston 2008 Network Topology
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
 
Os Wilhelm
Os WilhelmOs Wilhelm
Os Wilhelm
 
The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and Hadoop
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven Telemetry
 
Large-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemLarge-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop Ecosystem
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAP
 
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
 
شرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNAشرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNA
 
Flink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devopsFlink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devops
 
Model-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data AnalyticsModel-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data Analytics
 
Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
 
Stress your DUT
Stress your DUTStress your DUT
Stress your DUT
 
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
 
Perf Tuning Best Practices
Perf Tuning Best PracticesPerf Tuning Best Practices
Perf Tuning Best Practices
 
Statsd introduction
Statsd introductionStatsd introduction
Statsd introduction
 
Model driven telemetry
Model driven telemetryModel driven telemetry
Model driven telemetry
 
Dynamic Service Chaining
Dynamic Service Chaining Dynamic Service Chaining
Dynamic Service Chaining
 

Mais de oscon2007

J Ruby Whirlwind Tour
J Ruby Whirlwind TourJ Ruby Whirlwind Tour
J Ruby Whirlwind Tour
oscon2007
 
Solr Presentation5
Solr Presentation5Solr Presentation5
Solr Presentation5
oscon2007
 
Os Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman WiifmOs Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman Wiifm
oscon2007
 
Performance Whack A Mole
Performance Whack A MolePerformance Whack A Mole
Performance Whack A Mole
oscon2007
 
Os Lanphier Brashears
Os Lanphier BrashearsOs Lanphier Brashears
Os Lanphier Brashears
oscon2007
 
Os Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman SwpOs Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman Swp
oscon2007
 
Os Berlin Dispelling Myths
Os Berlin Dispelling MythsOs Berlin Dispelling Myths
Os Berlin Dispelling Myths
oscon2007
 
Os Keysholistic
Os KeysholisticOs Keysholistic
Os Keysholistic
oscon2007
 
Os Jonphillips
Os JonphillipsOs Jonphillips
Os Jonphillips
oscon2007
 
Os Urnerupdated
Os UrnerupdatedOs Urnerupdated
Os Urnerupdated
oscon2007
 

Mais de oscon2007 (20)

J Ruby Whirlwind Tour
J Ruby Whirlwind TourJ Ruby Whirlwind Tour
J Ruby Whirlwind Tour
 
Solr Presentation5
Solr Presentation5Solr Presentation5
Solr Presentation5
 
Os Borger
Os BorgerOs Borger
Os Borger
 
Os Harkins
Os HarkinsOs Harkins
Os Harkins
 
Os Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman WiifmOs Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman Wiifm
 
Os Bunce
Os BunceOs Bunce
Os Bunce
 
Yuicss R7
Yuicss R7Yuicss R7
Yuicss R7
 
Performance Whack A Mole
Performance Whack A MolePerformance Whack A Mole
Performance Whack A Mole
 
Os Fogel
Os FogelOs Fogel
Os Fogel
 
Os Lanphier Brashears
Os Lanphier BrashearsOs Lanphier Brashears
Os Lanphier Brashears
 
Os Tucker
Os TuckerOs Tucker
Os Tucker
 
Os Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman SwpOs Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman Swp
 
Os Furlong
Os FurlongOs Furlong
Os Furlong
 
Os Berlin Dispelling Myths
Os Berlin Dispelling MythsOs Berlin Dispelling Myths
Os Berlin Dispelling Myths
 
Os Kimsal
Os KimsalOs Kimsal
Os Kimsal
 
Os Pruett
Os PruettOs Pruett
Os Pruett
 
Os Alrubaie
Os AlrubaieOs Alrubaie
Os Alrubaie
 
Os Keysholistic
Os KeysholisticOs Keysholistic
Os Keysholistic
 
Os Jonphillips
Os JonphillipsOs Jonphillips
Os Jonphillips
 
Os Urnerupdated
Os UrnerupdatedOs Urnerupdated
Os Urnerupdated
 

Último

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 

Último (20)

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

Os Rash

  • 1. Iptables Attack Visualization Michael Rash Security Architect Enterasys Networks, Inc. http://www.cipherdyne.org/ OSCON 2007­07­26   Copyright (C) 2007 Michael Rash 1
  • 2. Agenda Why visualize iptables log data? ● context and change – iptables log message formats and data  – completeness New psad­2.0.8 release with Gnuplot interface ● Honeynet Project Scan34 iptables  ● visualizations (see http://www.honeynet.org) Gnuplot – AfterGlow –   Copyright (C) 2007 Michael Rash 2
  • 3. Why Visualize Data? Consider the following set of values (each value  ● represents the number of packets to unique  TCP ports per minute): 5, 4, 2, 1, 3, 4, 55, 58, 70, 85, 120, 9, 2, 3, 1, 5, 4   Copyright (C) 2007 Michael Rash 3
  • 4. Seeing the Trend   Copyright (C) 2007 Michael Rash 4
  • 5. Graph Types Gnuplot ● Dots, points, lines through points – Good at seeing  – trends and relationships in large data sets (>  100,000 points) 3D mode with interactive viewing – AfterGlow ● Link Graphs – Good at expressing network  – relationships with IP addresses    Copyright (C) 2007 Michael Rash 5
  • 6. Iptables Log Data Graphs will only be as good as the data source  ● permits Iptables logs include nearly every interesting  ● field for both the network and transport layer  headers – we just need an effective way to  parse and then visualize this data Iptables log messages can be tied to  ● application layer string matches via the string  match extension (see fwsnort)   Copyright (C) 2007 Michael Rash 6
  • 7. iptables IP Header Coverage   Copyright (C) 2007 Michael Rash 7
  • 8. iptables TCP Header Coverage   Copyright (C) 2007 Michael Rash 8
  • 9. iptables TCP Log Message Jul 11 20:21:22 minastirith kernel: [199]  SID1361 ESTAB IN=eth1 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=60  TOS=0x00 PREC=0x00 TTL=63 ID=11112 DF  PROTO=TCP SPT=28778 DPT=80 WINDOW=5840  RES=0x00 ACK PSH URGP=0 OPT  (0101080A02A041D20CC386B1)   Copyright (C) 2007 Michael Rash 9
  • 10. iptables UDP Header Coverage   Copyright (C) 2007 Michael Rash 10
  • 11. iptables UDP Log Message Jul 11 20:50:54 minastirith kernel: [153]  SID2001597 IN=eth0 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=40  TOS=0x00 PREC=0x00 TTL=63 ID=29758 DF  PROTO=UDP SPT=32046 DPT=61 LEN=20   Copyright (C) 2007 Michael Rash 11
  • 12. iptables ICMP Header Coverage   Copyright (C) 2007 Michael Rash 12
  • 13. iptables ICMP Log Message Jul 11 20:57:18 minastirith kernel: [98]  SID2003294 IN=eth0 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=128  TOS=0x00 PREC=0x00 TTL=63 ID=53466  PROTO=ICMP TYPE=8 CODE=0 ID=27459 SEQ=0   Copyright (C) 2007 Michael Rash 13
  • 14. psad­2.0.8 release Interfaces with Gnuplot – parses iptables log data  ● according to header field requirements and builds both a  data file and a directives file for Gnuplot Various counting modes are supported across different  ● time scales Granular requirements on iptables field values (including  ● negation) Gnuplot works best with integer data (separated by  ● commas or spaces), so IP addresses need to be  translated into integer equivalents   Copyright (C) 2007 Michael Rash 14
  • 15. psad­2.0.8 release (cont'd) psad ­­gnuplot command line arguments: ●     ­­gnuplot­graph­style ­ “points”, “dots”, “linespoints”     ­­gnuplot­file­prefix ­ <file>.gnu, <file>.dat, <file>.png     ­­gnuplot­title – Graph title (used for psad command line)     ­­gnuplot­sort­style – time sorting vs. value sorting     ­­gnuplot­3D – Use “splot” for three­dimensional viewing     ­­gnuplot­view – Set viewing angle   Copyright (C) 2007 Michael Rash 15
  • 16. The Honeynet Scan34 Data Set The goal of a Honeynet is to collect data on real  ● compromises – packet traces and log data is an excellent  learning tool Over 170,000 lines of iptables log data in the Scan34  ● challenge – covers a five week period Contains evidence of port scans, port sweeps, worm traffic  ● (Slammer, Nachi), and an outright compromise of a  system – we will visualize these graphically All IP addresses are sanitized to 11.11.0.0/16 ● http://www.honeynet.org/ ●   Copyright (C) 2007 Michael Rash 16
  • 17. Port Scans Packets to many different ports from a single  ● source address Not just SYN packets, think of Nmap ­sF, ­sN,  ● ­sX, ­sA, (also ­sU for UDP) Visualize with IP address vs. the number of  ● packets to unique ports   Copyright (C) 2007 Michael Rash 17
  • 18. psad Command psad ­m iptables.data ­­gnuplot ­­ CSV­fields “src:not11.11.0.0/16  dp:countuniq” ­­gnuplot­graph points  ­­gnuplot­xrange 0:26500 –gnuplot­ file­prefix portscan   Copyright (C) 2007 Michael Rash 18
  • 19. Visualizing Port Scans (IP vs.  Packet Count to Unique Ports)   Copyright (C) 2007 Michael Rash 19
  • 20. psad Gnuplot data files # Generated by psad v2.0.8 (file revision: 2092) # Command line: 'psad ­m iptables.data ­­gnuplot ­­CSV­fields src:not11.11.0.0/16  dp:countuniq ­­gnuplot­graph points ­­gnuplot­xrange 0:26500 ­­gnuplot­file­prefix  portscan ­­use­store portscan.store' # Time stamp:  Sun Jul  8 13:43:28 2007 905, 66  ### 905=60.248.80.102  12415, 10  ### 12415=63.135.2.15  15634, 10  ### 15634=63.186.32.94  24950, 10  ### 24950=218.85.9.143  16374, 8  ### 16374=63.204.104.150    Copyright (C) 2007 Michael Rash 20
  • 21. When Did the Heaviest Scan  Occur?   Copyright (C) 2007 Michael Rash 21
  • 22. psad Analysis of Scanner:  60.248.80.102 psad ­m iptables.data ­A ­­analysis­fields quot;src:60.248.80.102quot; SRC:  60.248.80.102, DL: 2, Dsts: 1, Pkts: 67, Unique sigs: 3 DST: 11.11.79.125         Scanned ports: UDP 7­43981, Pkts: 53, Chain: FORWARD, Intf: br0         Scanned ports: TCP 68­32783, Pkts: 14, Chain: FORWARD, Intf: br0         Signature match: quot;POLICY vncviewer Java applet download attemptquot;         TCP, Chain: FORWARD, Count: 1, DP: 5802, SYN, Sid: 1846         Signature match: quot;PSAD­CUSTOM Slammer communication attemptquot;         UDP, Chain: FORWARD, Count: 1, DP: 1434, Sid: 100208         Signature match: quot;RPC portmap listing UDP 32771quot;         UDP, Chain: FORWARD, Count: 1, DP: 32771, Sid: 1281   Copyright (C) 2007 Michael Rash 22
  • 23. Port Sweeps Packets to a single port number across many  ● hosts Good evidence of an automated worm (or  ● human) that can exploit a specific vulnerability  in a particular service Visualize with external IP addresses vs.  ● destination ports vs. packet count   Copyright (C) 2007 Michael Rash 23
  • 24. psad Command psad ­m iptables.data ­­gnuplot ­­ CSV­fields “src:not11.11.0.0/16  dp:count” ­­gnuplot­graph points -- gnuplot-3d ­­gnuplot­view 74,77 ­­ gnuplot­file­prefix portsweep   Copyright (C) 2007 Michael Rash 24
  • 25. Visualizing Port Sweeps (IP vs.  Destination Port vs. Packet Count)   Copyright (C) 2007 Michael Rash 25
  • 26. The Top Port Sweeper:  200.216.205.189 vs. TCP/3306   Copyright (C) 2007 Michael Rash 26
  • 27. The Top Port Sweeper (Link Graph)   Copyright (C) 2007 Michael Rash 27
  • 28. Slammer Worm Exploited a vulnerability in MS SQL Server  ● 2000 Single 404­byte UDP packet to port 1434 ● One of the fastest spreading worms in history ● Can easily be spoofed – useless to return ICMP  ● port unreachable with your IDS; need to block  the packet with an IPS and patch the  vulnerability   Copyright (C) 2007 Michael Rash 28
  • 29. Visualizing the Slammer Worm  (UDP 404­byte Packets vs. Hours)   Copyright (C) 2007 Michael Rash 29
  • 31. Nachi Worm Exploits Windows 2000 and XP systems that  ● are not patched against the MS03­026  vulnerability Always sends a 92­byte ICMP echo request to  ● a target system before attempting to exploit the  vulnerability This ICMP packet makes the worm easy to  ● detect   Copyright (C) 2007 Michael Rash 31
  • 32. Nachi Worm (92­Byte ICMP Packet  vs. Hours)   Copyright (C) 2007 Michael Rash 32
  • 33.   Copyright (C) 2007 Michael Rash 33
  • 34. Detecting A Compromised System  with Outbound Connections Honeynet systems should not make outbound  ● connections to external networks (except for  administrative or reporting communication with  known addresses) SSH and IRC connections are particularly  ● suspicious   Copyright (C) 2007 Michael Rash 34
  • 35. Outbound Connections   Copyright (C) 2007 Michael Rash 35
  • 36.    
  • 37. Iptables Logging Args When building iptables LOG rules: ● Use ­­log­ip­options – Use ­­log­tcp­sequence – Use ­­log­tcp­options – More attacks can be detected, and operating  – systems can be passively fingerprinted   Copyright (C) 2007 Michael Rash 37
  • 38. 3D Graphing Demo...   Copyright (C) 2007 Michael Rash 38
  • 39. No Starch Press, Sept 2007   Copyright (C) 2007 Michael Rash 39
  • 40. Questions? http://www.cipherdyne.org/ mbr@cipherdyne.org   Copyright (C) 2007 Michael Rash 40